Changeset 161230 in webkit

Timestamp:

Jan 2, 2014 2:57:14 PM (10 years ago)

Author:

mhahnenberg@apple.com

Message:

Storing new CopiedSpace memory into a JSObject should fire a write barrier
​https://bugs.webkit.org/show_bug.cgi?id=126025

Reviewed by Filip Pizlo.

Technically this is creating a pointer between a (potentially) old generation object and a young
generation chunk of memory, thus there needs to be a barrier.

• JavaScriptCore.xcodeproj/project.pbxproj:
• dfg/DFGOperations.cpp:
• heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It

acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to
fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery
collections that objects with new backing stores are visited, even if they are old generation objects.
(JSC::CopyWriteBarrier::CopyWriteBarrier):
(JSC::CopyWriteBarrier::operator!):
(JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
(JSC::CopyWriteBarrier::get):
(JSC::CopyWriteBarrier::operator*):
(JSC::CopyWriteBarrier::operator->):
(JSC::CopyWriteBarrier::set):
(JSC::CopyWriteBarrier::setWithoutWriteBarrier):
(JSC::CopyWriteBarrier::clear):

• heap/Heap.h:
• runtime/JSArray.cpp:

(JSC::JSArray::unshiftCountSlowCase):
(JSC::JSArray::shiftCountWithArrayStorage):
(JSC::JSArray::unshiftCountWithArrayStorage):

• runtime/JSCell.h:

(JSC::JSCell::unvalidatedStructure):

• runtime/JSGenericTypedArrayViewInlines.h:

(JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):

• runtime/JSObject.cpp:

(JSC::JSObject::copyButterfly):
(JSC::JSObject::getOwnPropertySlotByIndex):
(JSC::JSObject::putByIndex):
(JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
(JSC::JSObject::createInitialIndexedStorage):
(JSC::JSObject::createArrayStorage):
(JSC::JSObject::deletePropertyByIndex):
(JSC::JSObject::getOwnPropertyNames):
(JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
(JSC::JSObject::countElements):
(JSC::JSObject::increaseVectorLength):
(JSC::JSObject::ensureLengthSlow):

• runtime/JSObject.h:

(JSC::JSObject::butterfly):
(JSC::JSObject::setStructureAndButterfly):
(JSC::JSObject::setButterflyWithoutChangingStructure):
(JSC::JSObject::JSObject):
(JSC::JSObject::putDirectInternal):
(JSC::JSObject::putDirectWithoutTransition):

• runtime/MapData.cpp:

(JSC::MapData::ensureSpaceForAppend):

• runtime/Structure.cpp:

(JSC::Structure::materializePropertyMap):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• GNUmakefile.list.am (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (modified) (1 diff)
• JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters (modified) (1 diff)
• JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• dfg/DFGOperations.cpp (modified) (2 diffs)
• heap/CopyWriteBarrier.h (added)
• runtime/JSArray.cpp (modified) (3 diffs)
• runtime/JSCell.h (modified) (1 diff)
• runtime/JSGenericTypedArrayViewInlines.h (modified) (1 diff)
• runtime/JSObject.cpp (modified) (17 diffs)
• runtime/JSObject.h (modified) (10 diffs)
• runtime/MapData.cpp (modified) (2 diffs)
• runtime/Structure.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-01-02  Mark Hahnenberg  <mhahnenberg@apple.com>
+
+        Storing new CopiedSpace memory into a JSObject should fire a write barrier
+        https://bugs.webkit.org/show_bug.cgi?id=126025
+
+        Reviewed by Filip Pizlo.
+
+        Technically this is creating a pointer between a (potentially) old generation object and a young 
+        generation chunk of memory, thus there needs to be a barrier.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * dfg/DFGOperations.cpp:
+        * heap/CopyWriteBarrier.h: Added. This class functions similarly to the WriteBarrier class. It 
+        acts as a proxy for pointers to CopiedSpace. Assignments to the field cause a write barrier to 
+        fire for the object that is the owner of the CopiedSpace memory. This is to ensure during nursery 
+        collections that objects with new backing stores are visited, even if they are old generation objects. 
+        (JSC::CopyWriteBarrier::CopyWriteBarrier):
+        (JSC::CopyWriteBarrier::operator!):
+        (JSC::CopyWriteBarrier::operator UnspecifiedBoolType*):
+        (JSC::CopyWriteBarrier::get):
+        (JSC::CopyWriteBarrier::operator*):
+        (JSC::CopyWriteBarrier::operator->):
+        (JSC::CopyWriteBarrier::set):
+        (JSC::CopyWriteBarrier::setWithoutWriteBarrier):
+        (JSC::CopyWriteBarrier::clear):
+        * heap/Heap.h:
+        * runtime/JSArray.cpp:
+        (JSC::JSArray::unshiftCountSlowCase):
+        (JSC::JSArray::shiftCountWithArrayStorage):
+        (JSC::JSArray::unshiftCountWithArrayStorage):
+        * runtime/JSCell.h:
+        (JSC::JSCell::unvalidatedStructure):
+        * runtime/JSGenericTypedArrayViewInlines.h:
+        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::copyButterfly):
+        (JSC::JSObject::getOwnPropertySlotByIndex):
+        (JSC::JSObject::putByIndex):
+        (JSC::JSObject::enterDictionaryIndexingModeWhenArrayStorageAlreadyExists):
+        (JSC::JSObject::createInitialIndexedStorage):
+        (JSC::JSObject::createArrayStorage):
+        (JSC::JSObject::deletePropertyByIndex):
+        (JSC::JSObject::getOwnPropertyNames):
+        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
+        (JSC::JSObject::countElements):
+        (JSC::JSObject::increaseVectorLength):
+        (JSC::JSObject::ensureLengthSlow):
+        * runtime/JSObject.h:
+        (JSC::JSObject::butterfly):
+        (JSC::JSObject::setStructureAndButterfly):
+        (JSC::JSObject::setButterflyWithoutChangingStructure):
+        (JSC::JSObject::JSObject):
+        (JSC::JSObject::putDirectInternal):
+        (JSC::JSObject::putDirectWithoutTransition):
+        * runtime/MapData.cpp:
+        (JSC::MapData::ensureSpaceForAppend):
+        * runtime/Structure.cpp:
+        (JSC::Structure::materializePropertyMap):
+
 2013-12-23  Oliver Hunt  <oliver@apple.com>
 

trunk/Source/JavaScriptCore/GNUmakefile.list.am

@@ -503 +503 @@
         Source/JavaScriptCore/heap/CopyVisitor.cpp \
         Source/JavaScriptCore/heap/CopyWorkList.h \
+        Source/JavaScriptCore/heap/CopyWriteBarrier.h \
         Source/JavaScriptCore/heap/ConservativeRoots.cpp \
         Source/JavaScriptCore/heap/ConservativeRoots.h \

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj

@@ -985 +985 @@
     <ClInclude Include="..\heap\CopyVisitorInlines.h" />
     <ClInclude Include="..\heap\CopyWorkList.h" />
+    <ClInclude Include="..\heap\CopyWriteBarrier.h" />
     <ClInclude Include="..\heap\DeferGC.h" />
     <ClInclude Include="..\heap\DelayedReleaseScope.h" />

trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters

@@ -1629 +1629 @@
       <Filter>heap</Filter>
     </ClInclude>
+    <ClInclude Include="..\heap\CopyWriteBarrier.h">
+      <Filter>heap</Filter>
+    </ClInclude>
     <ClInclude Include="..\heap\DeferGC.h">
       <Filter>heap</Filter>

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -721 +721 @@
                 2A4EC90B1860D6C20094F782 /* WriteBarrierBuffer.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */; };
                 2A4EC90C1860D6C20094F782 /* WriteBarrierBuffer.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */; settings = {ATTRIBUTES = (Private, ); }; };
+                2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 2A6F462617E959CE00C45C98 /* HeapOperation.h in Headers */ = {isa = PBXBuildFile; fileRef = 2A6F462517E959CE00C45C98 /* HeapOperation.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 2A7A58EF1808A4C40020BDF7 /* DeferGC.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */; };
@@ -2028 +2029 @@
                 2A4EC9091860D6C20094F782 /* WriteBarrierBuffer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = WriteBarrierBuffer.cpp; sourceTree = "<group>"; };
                 2A4EC90A1860D6C20094F782 /* WriteBarrierBuffer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = WriteBarrierBuffer.h; sourceTree = "<group>"; };
+                2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyWriteBarrier.h; sourceTree = "<group>"; };
                 2A6F462517E959CE00C45C98 /* HeapOperation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = HeapOperation.h; sourceTree = "<group>"; };
                 2A7A58EE1808A4C40020BDF7 /* DeferGC.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DeferGC.cpp; sourceTree = "<group>"; };
@@ -3213 +3215 @@
                                 2A2825CF18341F2D0087FBA9 /* DelayedReleaseScope.h */,
                                 2AAD964918569417001F93BE /* RecursiveAllocationScope.h */,
+                                2A68295A1875F80500B6C3E2 /* CopyWriteBarrier.h */,
                         );
                         path = heap;
@@ -4374 +4377 @@
                                 86ADD1450FDDEA980006EEC2 /* ARMv7Assembler.h in Headers */,
                                 65C0285D1717966800351E35 /* ARMv7DOpcode.h in Headers */,
+                                2A68295B1875F80500B6C3E2 /* CopyWriteBarrier.h in Headers */,
                                 2A4EC90C1860D6C20094F782 /* WriteBarrierBuffer.h in Headers */,
                                 A532439218569709002ED692 /* CodeGeneratorInspector.py in Headers */,

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -852 +852 @@
     ASSERT(!object->structure()->outOfLineCapacity());
     Butterfly* result = object->growOutOfLineStorage(vm, 0, initialOutOfLineCapacity);
-    object->setButterflyWithoutChangingStructure(result);
+    object->setButterflyWithoutChangingStructure(vm, result);
     return reinterpret_cast<char*>(result);
 }
@@ -862 +862 @@
 
     Butterfly* result = object->growOutOfLineStorage(vm, object->structure()->outOfLineCapacity(), newSize);
-    object->setButterflyWithoutChangingStructure(result);
+    object->setButterflyWithoutChangingStructure(vm, result);
     return reinterpret_cast<char*>(result);
 }

trunk/Source/JavaScriptCore/runtime/JSArray.cpp

@@ -322 +322 @@
     newButterfly->arrayStorage()->setVectorLength(newVectorLength);
     newButterfly->arrayStorage()->m_indexBias = newIndexBias;
-
-    m_butterfly = newButterfly;
+    setButterflyWithoutChangingStructure(vm, newButterfly);
 
     return true;
@@ -721 +720 @@
         // the start of the Butterfly, which needs to point at the first indexed property in the used
         // portion of the vector.
-        m_butterfly = m_butterfly->shift(structure(), count);
+        m_butterfly.setWithoutWriteBarrier(m_butterfly->shift(structure(), count));
         storage = m_butterfly->arrayStorage();
         storage->m_indexBias += count;
@@ -858 +857 @@
 
     if (moveFront && storage->m_indexBias >= count) {
-        m_butterfly = storage->butterfly()->unshift(structure(), count);
-        storage = m_butterfly->arrayStorage();
+        Butterfly* newButterfly = storage->butterfly()->unshift(structure(), count);
+        storage = newButterfly->arrayStorage();
         storage->m_indexBias -= count;
         storage->setVectorLength(vectorLength + count);
+        setButterflyWithoutChangingStructure(exec->vm(), newButterfly);
     } else if (!moveFront && vectorLength - length >= count)
         storage = storage->butterfly()->arrayStorage();

trunk/Source/JavaScriptCore/runtime/JSCell.h

@@ -147 +147 @@
         
 #if ENABLE(GC_VALIDATION)
-    Structure* unvalidatedStructure() { return m_structure.unvalidatedGet(); }
+    Structure* unvalidatedStructure() const { return m_structure.unvalidatedGet(); }
 #endif
         

trunk/Source/JavaScriptCore/runtime/JSGenericTypedArrayViewInlines.h

@@ -507 +507 @@
     
     if (thisObject->m_mode == FastTypedArray
-        && !thisObject->m_butterfly && size >= sizeof(IndexingHeader)) {
+        && !thisObject->butterfly() && size >= sizeof(IndexingHeader)) {
         ASSERT(thisObject->m_vector);
         // Reuse already allocated memory if at all possible.
-        thisObject->m_butterfly =
-            static_cast<IndexingHeader*>(thisObject->m_vector)->butterfly();
+        thisObject->m_butterfly.setWithoutWriteBarrier(
+            static_cast<IndexingHeader*>(thisObject->m_vector)->butterfly());
     } else {
-        thisObject->m_butterfly = Butterfly::createOrGrowArrayRight(
-            thisObject->m_butterfly, *heap->vm(), thisObject, thisObject->structure(),
-            thisObject->structure()->outOfLineCapacity(), false, 0, 0);
+        VM& vm = *heap->vm();
+        thisObject->m_butterfly.set(vm, thisObject, Butterfly::createOrGrowArrayRight(
+            thisObject->butterfly(), vm, thisObject, thisObject->structure(),
+            thisObject->structure()->outOfLineCapacity(), false, 0, 0));
     }
 

trunk/Source/JavaScriptCore/runtime/JSObject.cpp

@@ -160 +160 @@
         }
         
-        m_butterfly = newButterfly;
+        m_butterfly.setWithoutWriteBarrier(newButterfly);
         visitor.didCopy(butterfly->base(preCapacity, propertyCapacity), capacityInBytes);
     } 
@@ -284 +284 @@
     case ALL_INT32_INDEXING_TYPES:
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (i >= butterfly->vectorLength())
             return false;
@@ -298 +298 @@
         
     case ALL_DOUBLE_INDEXING_TYPES: {
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (i >= butterfly->vectorLength())
             return false;
@@ -438 +438 @@
         
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (propertyName >= butterfly->vectorLength())
             break;
@@ -461 +461 @@
             return;
         }
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (propertyName >= butterfly->vectorLength())
             break;
@@ -550 +550 @@
     Butterfly* newButterfly = storage->butterfly()->resizeArray(vm, this, structure(), 0, ArrayStorage::sizeFor(0));
     RELEASE_ASSERT(newButterfly);
-    
-    m_butterfly = newButterfly;
     newButterfly->arrayStorage()->m_indexBias = 0;
     newButterfly->arrayStorage()->setVectorLength(0);
     newButterfly->arrayStorage()->m_sparseMap.set(vm, this, map);
+    setButterflyWithoutChangingStructure(vm, newButterfly);
     
     return newButterfly->arrayStorage();
@@ -602 +601 @@
     unsigned vectorLength = std::max(length, BASE_VECTOR_LEN);
     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
-        m_butterfly, vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
+        m_butterfly.get(), vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
         elementSize * vectorLength);
     newButterfly->setPublicLength(length);
@@ -653 +652 @@
     ASSERT_UNUSED(oldType, !hasIndexedProperties(oldType));
     Butterfly* newButterfly = Butterfly::createOrGrowArrayRight(
-        m_butterfly, vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
+        m_butterfly.get(), vm, this, structure(), structure()->outOfLineCapacity(), false, 0,
         ArrayStorage::sizeFor(vectorLength));
     RELEASE_ASSERT(newButterfly);
@@ -1297 +1296 @@
     case ALL_INT32_INDEXING_TYPES:
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (i >= butterfly->vectorLength())
             return true;
@@ -1305 +1304 @@
         
     case ALL_DOUBLE_INDEXING_TYPES: {
-        Butterfly* butterfly = thisObject->m_butterfly;
+        Butterfly* butterfly = thisObject->butterfly();
         if (i >= butterfly->vectorLength())
             return true;
@@ -1481 +1480 @@
     case ALL_INT32_INDEXING_TYPES:
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        Butterfly* butterfly = object->m_butterfly;
+        Butterfly* butterfly = object->butterfly();
         unsigned usedLength = butterfly->publicLength();
         for (unsigned i = 0; i < usedLength; ++i) {
@@ -1492 +1491 @@
         
     case ALL_DOUBLE_INDEXING_TYPES: {
-        Butterfly* butterfly = object->m_butterfly;
+        Butterfly* butterfly = object->butterfly();
         unsigned usedLength = butterfly->publicLength();
         for (unsigned i = 0; i < usedLength; ++i) {
@@ -1876 +1875 @@
     if (i >= MAX_ARRAY_INDEX - 1
         || (i >= MIN_SPARSE_ARRAY_INDEX
-            && !isDenseEnoughForVector(i, countElements<indexingShape>(m_butterfly)))
+            && !isDenseEnoughForVector(i, countElements<indexingShape>(butterfly())))
         || indexIsSufficientlyBeyondLengthForSparseMap(i, m_butterfly->vectorLength())) {
         ASSERT(i <= MAX_ARRAY_INDEX);
@@ -2313 +2312 @@
         
     case ALL_INT32_INDEXING_TYPES:
-        return countElements<Int32Shape>(m_butterfly);
+        return countElements<Int32Shape>(butterfly());
         
     case ALL_DOUBLE_INDEXING_TYPES:
-        return countElements<DoubleShape>(m_butterfly);
+        return countElements<DoubleShape>(butterfly());
         
     case ALL_CONTIGUOUS_INDEXING_TYPES:
-        return countElements<ContiguousShape>(m_butterfly);
+        return countElements<ContiguousShape>(butterfly());
         
     default:
@@ -2353 +2352 @@
         if (!newButterfly)
             return false;
-        m_butterfly = newButterfly;
         newButterfly->arrayStorage()->setVectorLength(newVectorLength);
+        setButterflyWithoutChangingStructure(vm, newButterfly);
         return true;
     }
@@ -2367 +2366 @@
     if (!newButterfly)
         return false;
-    
-    m_butterfly = newButterfly;
     newButterfly->arrayStorage()->setVectorLength(newVectorLength);
     newButterfly->arrayStorage()->m_indexBias = newIndexBias;
+    setButterflyWithoutChangingStructure(vm, newButterfly);
     return true;
 }
@@ -2385 +2383 @@
     unsigned oldVectorLength = m_butterfly->vectorLength();
     DeferGC deferGC(vm.heap);
-    m_butterfly = m_butterfly->growArrayRight(
+    m_butterfly.set(vm, this, m_butterfly->growArrayRight(
         vm, this, structure(), structure()->outOfLineCapacity(), true,
         oldVectorLength * sizeof(EncodedJSValue),
-        newVectorLength * sizeof(EncodedJSValue));
+        newVectorLength * sizeof(EncodedJSValue)));
+
+    m_butterfly->setVectorLength(newVectorLength);
+
     if (hasDouble(structure()->indexingType())) {
         for (unsigned i = oldVectorLength; i < newVectorLength; ++i)
             m_butterfly->contiguousDouble().data()[i] = QNaN;
     }
-    m_butterfly->setVectorLength(newVectorLength);
 }
 

trunk/Source/JavaScriptCore/runtime/JSObject.h

@@ -28 +28 @@
 #include "ArrayStorage.h"
 #include "Butterfly.h"
+#include "CallFrame.h"
 #include "ClassInfo.h"
 #include "CommonIdentifiers.h"
-#include "CallFrame.h"
+#include "CopyWriteBarrier.h"
 #include "DeferGC.h"
+#include "Heap.h"
+#include "IndexingHeaderInlines.h"
 #include "JSCell.h"
 #include "PropertySlot.h"
@@ -540 +543 @@
     }
         
-    const Butterfly* butterfly() const { return m_butterfly; }
-    Butterfly* butterfly() { return m_butterfly; }
+    const Butterfly* butterfly() const { return m_butterfly.get(); }
+    Butterfly* butterfly() { return m_butterfly.get(); }
         
     ConstPropertyStorage outOfLineStorage() const { return m_butterfly->propertyStorage(); }
@@ -606 +609 @@
 
     JS_EXPORT_PRIVATE Butterfly* growOutOfLineStorage(VM&, size_t oldSize, size_t newSize);
-    void setButterflyWithoutChangingStructure(Butterfly*); // You probably don't want to call this.
+    void setButterflyWithoutChangingStructure(VM&, Butterfly*);
         
     void setStructure(VM&, Structure*);
@@ -976 +979 @@
     
 protected:
-    Butterfly* m_butterfly;
+    CopyWriteBarrier<Butterfly> m_butterfly;
 };
 
@@ -1136 +1139 @@
 inline void JSObject::setStructureAndButterfly(VM& vm, Structure* structure, Butterfly* butterfly)
 {
-    m_butterfly = butterfly;
+    ASSERT(structure);
+    ASSERT(!butterfly == (!structure->outOfLineCapacity() && !structure->hasIndexingHeader(this)));
+    m_butterfly.set(vm, this, butterfly);
     setStructure(vm, structure);
 }
@@ -1147 +1152 @@
 }
 
-inline void JSObject::setButterflyWithoutChangingStructure(Butterfly* butterfly)
-{
-    m_butterfly = butterfly;
+inline void JSObject::setButterflyWithoutChangingStructure(VM& vm, Butterfly* butterfly)
+{
+    m_butterfly.set(vm, this, butterfly);
 }
 
@@ -1179 +1184 @@
 inline JSObject::JSObject(VM& vm, Structure* structure, Butterfly* butterfly)
     : JSCell(vm, structure)
-    , m_butterfly(butterfly)
+    , m_butterfly(vm, this, butterfly)
 {
     vm.heap.ascribeOwner(this, butterfly);
@@ -1303 +1308 @@
 
         DeferGC deferGC(vm.heap);
-        Butterfly* newButterfly = m_butterfly;
+        Butterfly* newButterfly = butterfly();
         if (structure()->putWillGrowOutOfLineStorage())
             newButterfly = growOutOfLineStorage(vm, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());
@@ -1324 +1329 @@
     if (Structure* structure = Structure::addPropertyTransitionToExistingStructure(this->structure(), propertyName, attributes, specificFunction, offset)) {
         DeferGC deferGC(vm.heap);
-        Butterfly* newButterfly = m_butterfly;
-        if (currentCapacity != structure->outOfLineCapacity())
+        Butterfly* newButterfly = butterfly();
+        if (currentCapacity != structure->outOfLineCapacity()) {
+            ASSERT(structure != this->structure());
             newButterfly = growOutOfLineStorage(vm, currentCapacity, structure->outOfLineCapacity());
+        }
 
         validateOffset(offset);
@@ -1437 +1444 @@
     DeferGC deferGC(vm.heap);
     ASSERT(!value.isGetterSetter() && !(attributes & Accessor));
-    Butterfly* newButterfly = m_butterfly;
+    Butterfly* newButterfly = m_butterfly.get();
     if (structure()->putWillGrowOutOfLineStorage())
         newButterfly = growOutOfLineStorage(vm, structure()->outOfLineCapacity(), structure()->suggestedNewOutOfLineStorageCapacity());

trunk/Source/JavaScriptCore/runtime/MapData.cpp

@@ -199 +199 @@
     size_t requiredSize = std::max(m_capacity + (m_capacity / 2) + 1, minimumMapSize);
     void* newStorage = 0;
+    DeferGC defer(*callFrame->heap());
     if (!callFrame->heap()->tryAllocateStorage(this, requiredSize * sizeof(Entry), &newStorage)) {
         throwOutOfMemoryError(callFrame);
         return false;
     }
-    DeferGC defer(*callFrame->heap());
     Entry* newEntries = static_cast<Entry*>(newStorage);
     if (shouldPack())
@@ -209 +209 @@
     else
         replaceBackingStore(newEntries, requiredSize);
+    Heap::writeBarrier(this);
     return true;
 }

trunk/Source/JavaScriptCore/runtime/Structure.cpp

@@ -274 +274 @@
     
     if (table) {
-        table = table->copy(vm, 0, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
+        table = table->copy(vm, structure, numberOfSlotsForLastOffset(m_offset, m_inlineCapacity));
         structure->m_lock.unlock();
     }